Merge branch '6.4.x'

Author: jzheaux

config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OidcBackChannelLogoutAuthentication.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2023 the original author or authors.
+ * Copyright 2002-2024 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -16,6 +16,7 @@
 
 package org.springframework.security.config.annotation.web.configurers.oauth2.client;
 
+import java.io.Serial;
 import java.util.Collections;
 
 import org.springframework.security.authentication.AbstractAuthenticationToken;
@@ -36,6 +37,9 @@
  */
 class OidcBackChannelLogoutAuthentication extends AbstractAuthenticationToken {
 
+	@Serial
+	private static final long serialVersionUID = 9095810699956350287L;
+
 	private final OidcLogoutToken logoutToken;
 
 	private final ClientRegistration clientRegistration;

config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OidcLogoutAuthenticationToken.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2023 the original author or authors.
+ * Copyright 2002-2024 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -16,6 +16,8 @@
 
 package org.springframework.security.config.annotation.web.configurers.oauth2.client;
 
+import java.io.Serial;
+
 import org.springframework.security.authentication.AbstractAuthenticationToken;
 import org.springframework.security.core.authority.AuthorityUtils;
 import org.springframework.security.oauth2.client.registration.ClientRegistration;
@@ -29,6 +31,9 @@
  */
 class OidcLogoutAuthenticationToken extends AbstractAuthenticationToken {
 
+	@Serial
+	private static final long serialVersionUID = -1568528983223505540L;
+
 	private final String logoutToken;
 
 	private final ClientRegistration clientRegistration;

config/src/main/java/org/springframework/security/config/web/server/OidcBackChannelLogoutAuthentication.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2023 the original author or authors.
+ * Copyright 2002-2024 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -16,6 +16,7 @@
 
 package org.springframework.security.config.web.server;
 
+import java.io.Serial;
 import java.util.Collections;
 
 import org.springframework.security.authentication.AbstractAuthenticationToken;
@@ -36,6 +37,9 @@
  */
 class OidcBackChannelLogoutAuthentication extends AbstractAuthenticationToken {
 
+	@Serial
+	private static final long serialVersionUID = 9095810699956350287L;
+
 	private final OidcLogoutToken logoutToken;
 
 	private final ClientRegistration clientRegistration;

config/src/main/java/org/springframework/security/config/web/server/OidcLogoutAuthenticationToken.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2023 the original author or authors.
+ * Copyright 2002-2024 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -16,6 +16,8 @@
 
 package org.springframework.security.config.web.server;
 
+import java.io.Serial;
+
 import org.springframework.security.authentication.AbstractAuthenticationToken;
 import org.springframework.security.core.authority.AuthorityUtils;
 import org.springframework.security.oauth2.client.registration.ClientRegistration;
@@ -29,6 +31,9 @@
  */
 class OidcLogoutAuthenticationToken extends AbstractAuthenticationToken {
 
+	@Serial
+	private static final long serialVersionUID = -1568528983223505540L;
+
 	private final String logoutToken;
 
 	private final ClientRegistration clientRegistration;

config/src/test/java/org/springframework/security/SpringSecurityCoreVersionSerializableTests.java

@@ -32,6 +32,7 @@
 import java.nio.file.Paths;
 import java.time.Instant;
 import java.util.ArrayList;
+import java.util.Collection;
 import java.util.Date;
 import java.util.HashMap;
 import java.util.List;
@@ -54,26 +55,42 @@
 import org.springframework.context.annotation.ClassPathScanningCandidateComponentProvider;
 import org.springframework.core.type.filter.AssignableTypeFilter;
 import org.springframework.security.access.intercept.RunAsUserToken;
+import org.springframework.security.authentication.AbstractAuthenticationToken;
 import org.springframework.security.authentication.AnonymousAuthenticationToken;
 import org.springframework.security.authentication.RememberMeAuthenticationToken;
 import org.springframework.security.authentication.TestAuthentication;
+import org.springframework.security.authentication.TestingAuthenticationToken;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.authentication.jaas.JaasAuthenticationToken;
+import org.springframework.security.authentication.ott.OneTimeTokenAuthenticationToken;
 import org.springframework.security.cas.authentication.CasAssertionAuthenticationToken;
 import org.springframework.security.cas.authentication.CasAuthenticationToken;
 import org.springframework.security.cas.authentication.CasServiceTicketAuthenticationToken;
+import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.SpringSecurityCoreVersion;
+import org.springframework.security.core.authority.AuthorityUtils;
 import org.springframework.security.core.session.ReactiveSessionInformation;
 import org.springframework.security.core.session.SessionInformation;
 import org.springframework.security.core.userdetails.UserDetails;
+import org.springframework.security.ldap.userdetails.LdapAuthority;
 import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
 import org.springframework.security.oauth2.client.authentication.OAuth2AuthenticationToken;
 import org.springframework.security.oauth2.client.authentication.OAuth2AuthorizationCodeAuthenticationToken;
 import org.springframework.security.oauth2.client.authentication.OAuth2LoginAuthenticationToken;
 import org.springframework.security.oauth2.client.authentication.TestOAuth2AuthenticationTokens;
 import org.springframework.security.oauth2.client.authentication.TestOAuth2AuthorizationCodeAuthenticationTokens;
+import org.springframework.security.oauth2.client.oidc.authentication.logout.OidcLogoutToken;
+import org.springframework.security.oauth2.client.oidc.authentication.logout.TestOidcLogoutTokens;
+import org.springframework.security.oauth2.client.oidc.session.OidcSessionInformation;
+import org.springframework.security.oauth2.client.oidc.session.TestOidcSessionInformations;
 import org.springframework.security.oauth2.client.registration.ClientRegistration;
 import org.springframework.security.oauth2.client.registration.TestClientRegistrations;
+import org.springframework.security.oauth2.core.DefaultOAuth2AuthenticatedPrincipal;
+import org.springframework.security.oauth2.core.OAuth2AccessToken;
+import org.springframework.security.oauth2.core.OAuth2AuthenticatedPrincipal;
+import org.springframework.security.oauth2.core.OAuth2DeviceCode;
+import org.springframework.security.oauth2.core.OAuth2RefreshToken;
+import org.springframework.security.oauth2.core.OAuth2UserCode;
 import org.springframework.security.oauth2.core.TestOAuth2AccessTokens;
 import org.springframework.security.oauth2.core.TestOAuth2AuthenticatedPrincipals;
 import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationExchange;
@@ -82,16 +99,30 @@
 import org.springframework.security.oauth2.core.endpoint.TestOAuth2AuthorizationExchanges;
 import org.springframework.security.oauth2.core.endpoint.TestOAuth2AuthorizationRequests;
 import org.springframework.security.oauth2.core.endpoint.TestOAuth2AuthorizationResponses;
+import org.springframework.security.oauth2.core.oidc.OidcIdToken;
 import org.springframework.security.oauth2.core.oidc.OidcUserInfo;
+import org.springframework.security.oauth2.core.oidc.TestOidcIdTokens;
+import org.springframework.security.oauth2.core.oidc.user.DefaultOidcUser;
+import org.springframework.security.oauth2.core.oidc.user.OidcUserAuthority;
+import org.springframework.security.oauth2.core.oidc.user.TestOidcUsers;
 import org.springframework.security.oauth2.core.user.DefaultOAuth2User;
 import org.springframework.security.oauth2.core.user.OAuth2UserAuthority;
 import org.springframework.security.oauth2.core.user.TestOAuth2Users;
+import org.springframework.security.oauth2.jwt.Jwt;
 import org.springframework.security.oauth2.jwt.TestJwts;
+import org.springframework.security.oauth2.server.resource.BearerTokenError;
+import org.springframework.security.oauth2.server.resource.BearerTokenErrors;
 import org.springframework.security.oauth2.server.resource.authentication.BearerTokenAuthentication;
 import org.springframework.security.oauth2.server.resource.authentication.BearerTokenAuthenticationToken;
 import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;
+import org.springframework.security.oauth2.server.resource.introspection.OAuth2IntrospectionAuthenticatedPrincipal;
 import org.springframework.security.saml2.provider.service.authentication.DefaultSaml2AuthenticatedPrincipal;
+import org.springframework.security.saml2.provider.service.authentication.Saml2Authentication;
+import org.springframework.security.saml2.provider.service.authentication.Saml2PostAuthenticationRequest;
+import org.springframework.security.saml2.provider.service.authentication.Saml2RedirectAuthenticationRequest;
 import org.springframework.security.saml2.provider.service.authentication.TestSaml2Authentications;
+import org.springframework.security.saml2.provider.service.authentication.TestSaml2PostAuthenticationRequests;
+import org.springframework.security.saml2.provider.service.authentication.TestSaml2RedirectAuthenticationRequests;
 import org.springframework.security.web.authentication.WebAuthenticationDetails;
 import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
 
@@ -138,6 +169,17 @@ class SpringSecurityCoreVersionSerializableTests {
 				(r) -> new SessionInformation(user, r.alphanumeric(4), new Date(1704378933936L)));
 		generatorByClassName.put(ReactiveSessionInformation.class,
 				(r) -> new ReactiveSessionInformation(user, r.alphanumeric(4), Instant.ofEpochMilli(1704378933936L)));
+		generatorByClassName.put(OAuth2AccessToken.class, (r) -> TestOAuth2AccessTokens.scopes("scope"));
+		generatorByClassName.put(OAuth2DeviceCode.class,
+				(r) -> new OAuth2DeviceCode("token", Instant.now(), Instant.now()));
+		generatorByClassName.put(OAuth2RefreshToken.class,
+				(r) -> new OAuth2RefreshToken("refreshToken", Instant.now(), Instant.now()));
+		generatorByClassName.put(OAuth2UserCode.class,
+				(r) -> new OAuth2UserCode("token", Instant.now(), Instant.now()));
+		generatorByClassName.put(DefaultOidcUser.class, (r) -> TestOidcUsers.create());
+		generatorByClassName.put(OidcUserAuthority.class,
+				(r) -> new OidcUserAuthority(TestOidcIdTokens.idToken().build(),
+						new OidcUserInfo(Map.of("claim", "value")), "claim"));
 
 		// oauth2-client
 		ClientRegistration.Builder clientRegistrationBuilder = TestClientRegistrations.clientRegistration();
@@ -167,6 +209,18 @@ class SpringSecurityCoreVersionSerializableTests {
 			token.setDetails(details);
 			return token;
 		});
+		generatorByClassName.put(OidcIdToken.class, (r) -> TestOidcIdTokens.idToken().build());
+		generatorByClassName.put(OidcLogoutToken.class,
+				(r) -> TestOidcLogoutTokens.withSessionId("issuer", "sessionId").issuedAt(Instant.now()).build());
+		generatorByClassName.put(OidcSessionInformation.class, (r) -> TestOidcSessionInformations.create());
+		generatorByClassName.put(DefaultOAuth2AuthenticatedPrincipal.class, (r) -> {
+			OAuth2AuthenticatedPrincipal principal = TestOAuth2AuthenticatedPrincipals.active();
+			return new DefaultOAuth2AuthenticatedPrincipal(principal.getName(), principal.getAttributes(),
+					(Collection<GrantedAuthority>) principal.getAuthorities());
+		});
+
+		// oauth2-jwt
+		generatorByClassName.put(Jwt.class, (r) -> TestJwts.user());
 
 		// oauth2-resource-server
 		generatorByClassName
@@ -192,6 +246,9 @@ class SpringSecurityCoreVersionSerializableTests {
 			token.setDetails(details);
 			return token;
 		});
+		generatorByClassName.put(BearerTokenError.class, (r) -> BearerTokenErrors.invalidToken("invalid token"));
+		generatorByClassName.put(OAuth2IntrospectionAuthenticatedPrincipal.class,
+				(r) -> TestOAuth2AuthenticatedPrincipals.active());
 
 		// core
 		generatorByClassName.put(RunAsUserToken.class, (r) -> {
@@ -215,6 +272,11 @@ class SpringSecurityCoreVersionSerializableTests {
 			token.setDetails(details);
 			return token;
 		});
+		generatorByClassName.put(OneTimeTokenAuthenticationToken.class,
+				(r) -> applyDetails(new OneTimeTokenAuthenticationToken("username", "token")));
+
+		generatorByClassName.put(TestingAuthenticationToken.class,
+				(r) -> applyDetails(new TestingAuthenticationToken("username", "password")));
 
 		// cas
 		generatorByClassName.put(CasServiceTicketAuthenticationToken.class, (r) -> {
@@ -234,11 +296,25 @@ class SpringSecurityCoreVersionSerializableTests {
 			return token;
 		});
 
+		// ldap
+		generatorByClassName.put(LdapAuthority.class,
+				(r) -> new LdapAuthority("USER", "username", Map.of("attribute", List.of("value1", "value2"))));
+
 		// saml2-service-provider
 		generatorByClassName.put(DefaultSaml2AuthenticatedPrincipal.class,
 				(r) -> TestSaml2Authentications.authentication().getPrincipal());
+		generatorByClassName.put(Saml2Authentication.class,
+				(r) -> applyDetails(TestSaml2Authentications.authentication()));
+		generatorByClassName.put(Saml2PostAuthenticationRequest.class,
+				(r) -> TestSaml2PostAuthenticationRequests.create());
+		generatorByClassName.put(Saml2RedirectAuthenticationRequest.class,
+				(r) -> TestSaml2RedirectAuthenticationRequests.create());
 
 		// web
+		generatorByClassName.put(AnonymousAuthenticationToken.class, (r) -> {
+			Collection<GrantedAuthority> authorities = AuthorityUtils.createAuthorityList("ROLE_USER");
+			return applyDetails(new AnonymousAuthenticationToken("key", "username", authorities));
+		});
 		generatorByClassName.put(PreAuthenticatedAuthenticationToken.class, (r) -> {
 			PreAuthenticatedAuthenticationToken token = new PreAuthenticatedAuthenticationToken(user, "creds",
 					user.getAuthorities());
@@ -361,6 +437,12 @@ private static InstancioApi<?> instancioWithDefaults(Class<?> clazz) {
 		return instancio;
 	}
 
+	private static <T extends AbstractAuthenticationToken> T applyDetails(T authentication) {
+		WebAuthenticationDetails details = new WebAuthenticationDetails("remote", "sessionId");
+		authentication.setDetails(details);
+		return authentication;
+	}
+
 	private static String getCurrentVersion() {
 		String version = System.getProperty("springSecurityVersion");
 		String[] parts = version.split("\\.");